Method and system for detecting fraud

ABSTRACT

A system and method for detecting fraud when facilitating a payment transaction over a global wide area network. The method comprises receiving a sale information, receiving a payment information from a buyer, and analyzing a transaction information for fraud. If the analyzing indicates fraud, an enhanced transaction information is communicated to a human for fraud analysis. In one embodiment, the method comprises performing rule-based analyses to determine whether the transaction appears to be fraudulent. Rule-based analyses may include suspect data rules and velocity rules. Velocity rules generally determine whether there has been excessive activity that may lead to a conclusion that the transaction may be fraudulent. Suspect data rules are used to determine whether the billing, shipping, selling addresses, telephone numbers, and account numbers, and other data are in a syntactically correct format and whether they exist. In one embodiment, the method further comprises performing simple screening of the transaction information. In one embodiment, the method further comprises seeking approval from a third party such as a financial institution based on the payment information. The method may be implemented as part of a system that includes personal computers, server computers, and other personal computing devices, some of which may communicate over the Internet, and others which may communicate via dedicated communication lines.

FIELD OF THE INVENTION

The invention relates to detecting fraud in a networked system thatfacilitates a payment transaction between two parties. Morespecifically, the invention relates to a system and method for detectingfraud in which an Internet web site serves as a payment facilitator whena first party wishes to pay a second party for goods, services, etc.

BACKGROUND

Traditionally, classified advertisements and other newspaper, specialtypaper, and magazine advertisements and listings provide a way for aseller of goods or services to advertise in an attempt to obtain a buyerfor the goods or services. However, when a transaction is agreed upon,the buyer and seller enter an awkward time, particularly when thetransaction takes place across a great geographical distance. Thepersons and smaller businesses taking advantage of classifiedadvertisements and similar listings do not typically accept payment bycredit card or bank debit card. Checks and money orders are generallyused. The buyer may send a check or money order by letter to the seller,and the seller may either simultaneously with the sending of the fundsor upon receipt of the funds, send the goods to the buyer. The buyer andseller must trust one another. Each runs the risk of encountering aswindle and being the victim of fraud. The same applies when servicesare purchased over a great distance. In addition, there is a delay inthe buyer receiving the goods or services when the seller waits for acheck to be mailed and then clear before shipping the item or activatingthe service.

On-line sale facilitating systems have given new life to person toperson long distance sale of goods and services. Rather than selling vialocal magazines, specialty papers, and newspaper classifieds andlistings, persons are using on-line sale facilitating systems to selllocally, nationally and internationally via the Internet.

The Internet and personal computers have become ubiquitous in modernsociety. Although the Internet has existed in various forms for manyyears, the Internet became popular as a mass communication vehicle withthe introduction of the world wide web. The world wide web is, from theuser's perspective, a way of easily identifying a remote computer,connecting to the remote computer, and viewing information stored on theremote computer. Remote computers that provide a vehicle for the sale ofgoods and services have become very popular. These systems are referredto herein as sale facilitating systems. EBAY® is an example of a salefacilitating system. However, even with this new technology, buyers andsellers must still trust one another as each still runs the risk ofencountering a swindle and being the victim of fraud while funds andgoods are exchanged by mail.

While using the Internet, hidden from the user are the variouscommunications protocols that make the Internet function. Variouscommittees and ad hoc groups known as working groups coordinate andcontrol the Internet. The Internet Engineering Task Force (IETF) is theprotocol engineering and development arm of the Internet. Working groupsunder the IETF determine the rules and protocols for the underlyingfunctionality of the Internet and publish them as requests for comment,commonly referred to as RFCs. Each working group makes its RFCsavailable via the Internet at various web sites. Information iscommunicated over the Internet via the transmission controlprotocol/Internet protocol (TCP/IP) and hypertext transfer protocol(HTTP). Many personal computers utilize the point to point protocol(PPP) to communicate with an internet service provider to obtain a linkto the Internet. More information is available from T. Socolofsky and C.Kale, A TCP/IP Tutorial, RFC 1180, January 1991,http://www.ietf.org/rfc/rfc1180.txt; R. Fielding et al., HypertextTransfer Protocol—HTTP/1.1, RFC 2616, June 1999 (Draft Standard),http://www.ietf.org/rfc/rfc2616.txt; and W. Simpson, Editor, ThePoint-to-Point Protocol, RFC 1661, http://www.ietf.org/rfc/rfc1661.txt.

To make on-line and off-line purchases easier, payment facilitators thatallow buyers to purchase from sellers via credit cards and debit cardseliminate the uneasiness of long distance purchases originating fromtraditional classified advertisements, on-line classified advertisement,on-line sale facilitating systems such as EBAY®, and others. To maketheir service safe and secure, payment facilitators should check forpotential fraudulent transactions when processing payment transactions.

BRIEF SUMMARY OF THE INVENTION

A system and method for detecting fraud when facilitating a paymenttransaction over a global wide area network. The method comprisesreceiving a sale information, receiving a payment information from abuyer, and analyzing a transaction information for fraud. If theanalyzing indicates fraud, an enhanced transaction information iscommunicated to a human for fraud analysis. In one embodiment, themethod comprises performing rule-based analyses to determine whether thetransaction appears to be fraudulent. Rule-based analyses may includesuspect data rules and velocity rules. Velocity rules generallydetermine whether there has been excessive activity that may lead to aconclusion that the transaction may be fraudulent. Suspect data rulesare used to determine whether the billing, shipping, selling addresses,telephone numbers, and account numbers, and other data are in asyntactically correct format and whether they exist. In one embodiment,the method further comprises performing simple screening of thetransaction information. In one embodiment, the method further comprisesseeking approval from a third party such as a financial institutionbased on the payment information. The method may be implemented as partof a system that includes personal computers, server computers, andother personal computing devices, some of which may communicate over theInternet, and others which may communicate via dedicated communicationlines.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a networked environment in which the fraud detectionmethod and system of the present invention may be implemented.

FIG. 2 depicts a software architecture and software components of oneembodiment of the fraud detection method and system of the presentinvention.

FIG. 3 depicts a general flow of actions taken according to oneembodiment of the fraud detection method and system of the presentinvention.

FIG. 4 depicts a more detailed flow of actions taken according to oneembodiment of the fraud detection method and system of the presentinvention.

DETAILED DESCRIPTION

FIG. 1 depicts a networked environment in which the fraud detectionmethod and system of the present invention may be implemented. In thisembodiment, the method is implemented as software stored in and executedby a server computer such as payment facilitator computer 10. Paymentfacilitator computer 10 may be any server computer that can executesoftware programs and access a global communications network such as theInternet. In one embodiment, payment facilitator computer 10 comprisesprocessor 12 and memory 14. Processor 12 may be any computer processor,and memory 14 may be any random access memory (RAM) or other readableand writeable memory device.

The method and system for detecting fraud in a networked system thatfacilitates a payment transaction between two parties is referred to,for ease of reference, as fraud detection software and the frauddetection system. Processor 12 executes the fraud detection softwareutilizing memory 14. Information, including the fraud detectionsoftware, is read from and written to disk drive 16 which is coupled tothe payment facilitator computer via disk controller 18. Disk drive 16may be a hard disk drive, a readable and writeable compact disk (CDRW)drive, a floppy disk drive, etc. In addition, disk drive 16 may be anydevice by which a machine may read from a machine readable medium suchas the devices already mentioned, as well as, but not limited to, astick or card memory device, a digital audio tape (DAT) reader, etc. Theprocessor may communicate instructions to display controller 20 todisplay images on display device 22. Display controller 20 may be anydisplay controller, and display device 22 may be any display monitor,including, but not limited to, a CRT display monitor, or TFT displayscreen. A system administrator or other similar person accesses paymentfacilitator computer 10 via any computer input device, such as, forexample, keyboard 24 and mouse 26 which are coupled to the processor byI/O controller 28.

Payment facilitator computer 10 also includes network interface 30. Inthis embodiment, the payment facilitator computer 10 communicates with awide area network, or, in one embodiment, the Internet 34. Networkinterface 30 may be an analog modem, a digital modem, a cable modem, anEthernet card, or any other kind of network access device that allowsfor connection to the Internet 34 via an analog telephone line, digitalsubscriber line (DSL), cable television line, T1 line, or any other linecapable of communicating information over a network. Processor 12,memory 14, disk controller 18, display controller 20, I/O controller 28,and network interface 30, are coupled to one another via and communicatewith one another over bus 32. Bus 32 may be any bus that provides forcommunication of and between components within a computer. Although onlyone bus is depicted, multiple buses may be used in personal computer 10.In addition, other components and controllers (not depicted) or multipleinstances of depicted components and controllers may be included inpayment facilitator computer 10. In one embodiment, payment facilitatorcomputer 10 communicates over the Internet via network interface 30 andreceives information from and communicates information to devicesconnected to the Internet such as seller computer 35 and buyer computer36.

Although only one payment facilitator computer 10 is depicted, a paymentfacilitator system may be comprised of multiple computers in the form ofa local area network (LAN), grouping, subnetwork, etc. (not shown). Thispayment facilitator system grouping, LAN, subnetwork, etc. may beconnected to the Internet or other global communications network, in oneembodiment, via one or more firewalls or other security devices andsystems so that the payment facilitator computer is separated from theInternet for security purposes. The payment facilitator computer orsystem may be comprised of graphics servers, application servers andother specialized, dedicated servers (not shown).

In one embodiment, seller computer 35 may be any kind of personalcomputing device that can execute programs and access a globalcommunications network such as the Internet, including, but not limitedto, cellular telephones, personal digital assistants, desktop personalcomputers, portable computers, computer workstations, etc. In oneembodiment, seller computer 35 comprises processor 44, which may be anycomputer processor, and memory 46, which may be any random access memory(RAM) or other readable and writeable memory device. Software programs,including a web browser and Internet communication and connectionsoftware, and other information are stored on disk drive 48 which iscoupled to seller computer via disk controller 50. Disk drive 48 may bea hard disk drive, a readable and writeable compact disk (CDRW) drive, afloppy disk drive, etc. and may also be any other kind of storagedevice, such as, but not limited to, a stick or card memory device, adigital audio tape (DAT) reader, etc. The processor may communicateinstructions to display controller 52 to display images on displaydevice 54. Display controller 52 may be any display controller, anddisplay device 54 may be any display monitor, including, but not limitedto, a CRT display monitor, or TFT display screen. A user accesses sellercomputer 35 via any computer input device, such as, for example,keyboard 56 and mouse 58 which are coupled to the processor by I/Ocontroller 60.

Seller computer 35 also includes network interface 62. In oneembodiment, the seller computer communicates over the Internet 34 toaccess payment facilitator computer 10. Network interface 64 may be ananalog modem, a digital modem, a cable modem, or any other kind ofnetwork access device that allows for connection to the Internet, orother global communications network. Processor 44, memory 46, diskcontroller 50, display controller 52, I/O controller 60, and networkinterface 62, are coupled to one another via and communicate with oneanother over bus 64. In addition, other components and controllers (notdepicted) or multiple instances of depicted components and controllersmay be included in seller computer 35.

Buyer computer 36 may be any personal computing device such as thatdescribed with regard to seller computer 35. Similarly, fraudinvestigator computer 38 may be any personal computing device such asthat described with regard to seller computer 35. In addition, financialinstitution computer 40 may be any computer such as that described withregard to payment facilitator computer 10. Although referred to hereinas financial institution computer 40, the financial institution may be atraditional financial institution such as a bank, savings and loan, orcredit union, and may also be a clearinghouse for credit cardtransactions, electronic check transactions, debit card transactions,etc.

In one embodiment, payment facilitator computer 10 communicates over theInternet via network interface 30 and receives information from andcommunicates information to other computers and personal computingdevices connected to the Internet such as seller computer 35 and buyercomputer 36. Although only one each of buyer computer 36 and sellercomputer 35 are depicted, multiple buyers and sellers with personalcomputing devices may utilize the services provided by the frauddetection software executing on payment facilitator computer 10 bycommunicating over the Internet. Communications by buyer and sellerpersonal computing devices via the Internet may be accomplished by landline, wireless or other methods of communication.

In one embodiment, fraud investigator computer 38 and financialinstitution computer 40 do not connect with payment facilitator computer10 via the Internet. Rather, in one embodiment, a dedicated line such aDSL line, T1 line, etc. connect financial institution computer 40 withpayment facilitator computer 10. In another embodiment, a securewireless connection may be used between financial institution computer40 with payment facilitator computer 10. In one embodiment, fraudinvestigator computer 38 is connected to payment facilitator computeroutside of the Internet or other global communications network in aprivate LAN. In another embodiment, there may be multiple instances offraud investigator computers and financial institution computers,although only one of each is depicted. Fraud investigators maycommunicate by email with buyers and sellers. In one embodiment, allemail communication involving the fraud investigator computers is routedthrough the payment facilitator computer, payment facilitator system,and/or, in other embodiments, is routed through the payment facilitatorgrouping, firewalls, LAN, etc.

FIG. 2 depicts a software architecture and software components of oneembodiment of the fraud detection method and system of the presentinvention. Payment facilitator computer 200 includes payment processingsoftware 202. In one embodiment, fraud detection software 204 isimplemented as a component of payment processing software 202.Authorization software 206 is also implemented, in one embodiment, aspart of payment processing software 202. In another embodiment,authorization software 206 may be implemented as part of fraud detectionsoftware 204. Payment facilitator computer 200 includes email software208 that allows payment processing software 202 to send and receiveemail messages.

Operating system, communications software and Internet software,collectively 212, provide file system support, Internet connectivitysupport, computer communications support, and other typical operatingsystems features. The operating system, communications software and theInternet software 212 may be combined as one entity as depicted, or mayexist separate from one another. In one embodiment, payment processingsoftware 202 accesses the Internet and communicates with buyer computerssuch as buyer computer 250 and seller computers such as seller computer260 with the Internet software. In this embodiment, payment processingsoftware 202 accesses the local file system and local system resourcesvia the operating system, and accesses fraud investigator computer 220and financial institution computer 230 via the communications software.In one embodiment, the communications software provides support forcommunications over any dedicated computer communication line.

Fraud investigator computer 220 includes web browser 222, email software224, and operating system and communications software 226. The operatingsystem and communications software may be combined as one entity asdepicted, or may exist separately. Upon determining that a paymenttransaction may involve fraud, in one embodiment, fraud detectionsoftware 204 sends an email message via email software 208 andcommunications software to a human fraud investigator at fraudinvestigator computer 224 over a dedicated communications connectionsuch as an Ethernet cable, T1 line, or wirelessly. The fraudinvestigator retrieves the email message using email software 224. Inanother embodiment, the fraud investigator computer is capable ofcommunication over the Internet such that the fraud notification emailmessage may be sent to the fraud investigator via the Internet. In yetanother embodiment, payment facilitator computer 200 and fraudinvestigator computer 220 may include instant messaging software (notshown) so that an instant message is sent by the fraud detectionsoftware upon determining that a payment transaction may include fraud.In another embodiment, multiple fraud investigators may communicate withthe payment facilitator computer over a LAN or other private network. Inthis embodiment, email messages or instant messages may be sent via theLAN. In addition, fraud investigators may communicate via email messageswith buyers and sellers. In one embodiment, the fraud investigator'semail messages are sent over the Internet through payment facilitatorcomputer 200. In other embodiments, email from the fraud investigatorsis routed through the payment facilitator LAN, grouping, etc.

In one embodiment, financial institution computer 230 includesauthorization software 232 and operating system and communicationsoftware, combined as 234. In this embodiment, authorization software206 of payment processing software 202 may seek authorization of apayment transaction by communicating over a direct connection tofinancial institution computer 230. Financial institution computer 230may be a clearinghouse for credit card and/or debit card transactions orserve only one financial institution. Companies that providesauthorization services are, for example, Paymentech of Dallas, Tex. andFirst Data Merchant Services (FDMS) of Englewood, Colo. Upon receiving arequest for authorization of a payment transaction via operating systemand communications software 234, authorization software 232 processesthe request and returns a response. Although only one financialinstitution computer is depicted, in another embodiment, the paymentfacilitator computer or payment facilitator system may communicate withmultiple financial institution computers. In one embodiment, the paymentfacilitator computer communicates with financial institution computer(s)over a direct line rather than over the Internet for security and suretyof connectivity. In another embodiment, the payment facilitator computermay communicate with financial institution computers via the Internet.In yet another embodiment, the payment facilitator computer maycommunicate with the financial institution computer(s) via a securewireless connection.

In one embodiment, fraud detection software 204 accesses informationabout the transaction history of buyers and sellers, reviews blacklistsand stores and obtains other pertinent data by communicating withdatabase software 210 and accessing one or more databases stored onpayment facilitator computer 200. Database software 210 may providesupport for any well known database system that implements, in oneembodiment, structured query language (SQL), or any other well knowndatabase languages. In another embodiment, fraud detection software 204communicates with database software 210 which accesses database server240 via Java Database Connectivity (JDBC) and/or the Open DatabaseConnectivity (ODBC) application programming interfaces to accessdatabase software 242 to store and obtain pertinent information.Database server 240 includes operating system and communicationssoftware 246. Database software 242 may provide support for any wellknown database system that implements, in one embodiment, SQL, or anyother well known database languages. In another embodiment, frauddetection software 204 may check for fraud by issuing queries regardinginformation provided by the buyers and sellers, checking blacklists ofvarious information included with the transaction data, checking withexternal credit bureaus, etc. by communicating with one or more thirdparty database servers, one or more third party blacklist servers, oneor more external credit bureaus, etc. In one embodiment, financialinstitution computer 230 may also serve as a third party databaseserver, third party blacklist server, external credit bureau, etc.

Buyer computer 250 and seller computer 260 may each communicate withpayment facilitator computer 200 over the Internet 216, or other widearea network. Users of the payment facilitator system represented bypayment processing software 202 on payment facilitator computer 200communicate with payment facilitator computer 200 via web browsers 252and 262 on buyer computer 250 and seller computer 260. Web browsers 252and 262 access the Internet 216 and access local file system and localsystem resources via operating system and Internet software 256 and 266.The Internet software provides support for TCP/IP, PPP and other networkcommunications protocols. The web browsers support communication viaHTTP and other application level protocols. An example of a web browseris Netscape Navigator available from Netscape Communications of MountainView, Calif.

FIG. 3 depicts a general flow of actions taken according to oneembodiment of the fraud detection method and system of the presentinvention. After a buyer and seller agree to participate in a sale ofgoods or services, as shown in block 300, the seller provides saleinformation to the payment facilitator system, as shown in block 302. Inone embodiment, the seller provides at least a sale price for thegood(s), a description of the goods, the email address of the buyer, andan identifier of the buyer such as a name, and may also provide adetailed description of the good(s), information about the buyer such asthe buyer's name, email address, billing address, shipping address, etc.In one embodiment, the sale information may also include sellerinformation such as the bank account, credit card account, or otheraccount which will be credited upon completion of the sale. In anotherembodiment, the seller may provide seller information prior to providingthe sale information, such as when creating a seller's account with thepayment facilitator system. In one embodiment, the seller's internetprotocol (IP) address is saved and stored with the seller informationand/or with the transaction information. The IP address may be gleanedfrom examination of incoming packets of data from the seller when theseller is communicating with the payment facilitator system.

In one embodiment, the sale information and the seller information areprovided by the seller by communicating to the payment facilitatorsystem via a web site interface provided to the seller by the paymentfacilitator system. In one embodiment, the payment facilitator systemprovides for the communication of programs and data that result in thedisplay of images and information on a seller's display screen. Forexample, the payment facilitator system may package JAVA® applets andhyper-text markup language (HTML) code that is communicated via HTTPover TCP/IP with the user. The user interface provided by the paymentfacilitator system may include well known user interface items such asicons, text data entry fields, menus, buttons, sliders, and the like. Inone embodiment, dates, credit card issuers, banks, etc. may be providedas items in menus accessible via any well known method. In this way, theamount of text required to be entered by a user is minimized, and theease of use of the system is enhanced. In one embodiment, thecommunications between the seller computer and the payment facilitatorcomputer are made secure by use of encryption and security techniquessuch as secure HTTP, secured sockets layer (SSL) encryption, and/or thetransport layer security (TLS) protocol. More information on SSL isavailable from Netscape Communications of Mountain View, Calif. andadditional information concerning TLS is available in E. Rescorla, HTTPOver TLS, RFC 2818, http://www.ietf.org/rfc/rfc2818.txt, May 2000.

In one embodiment, the negotiations and agreement to sell may haveoccurred on a computer system via a sale facilitating system such asEBAY®. In this embodiment, the sale information may be provided via adirect communications link to the sale facilitating system. In anotherembodiment, the sale negotiations and agreement between the buyer andseller may have occurred by mailed correspondence or by telephone, andmay have been initiated by viewing an offering of goods or services forsale by a classified advertisement on-line, classified advertisement orlisting in a newspaper, specialty paper, or magazine, or by any othermethod that connects buyers with sellers. In this embodiment, the buyerand seller agree to use the payment facilitator system, and the sellerthen begins the payment transaction process by connecting to the paymentfacilitator web site.

After receiving the sale information, the payment facilitator systemprepares an invoice and emails the invoice to the buyer, as shown inblocks 304 and 306. In one embodiment, the invoice includes at least adescription of the goods or services the buyer agreed to purchase andthe sale price, and may include further information such as the seller'scontact information, namely the seller's email address, mailing address,telephone number, etc. In another embodiment, the payment facilitatormay prepare an invoice, and email a notification to the buyer that aninvoice is ready for retrieval at a specified location within thepayment facilitator web site such as at a specified uniform resourcelocator (URL) or uniform resource identifier (URI). In response toreceiving or viewing the invoice, the buyer then communicates with thepayment facilitator web site, and the buyer provides payment informationto the payment facilitator system, as shown in block 308. In oneembodiment, the payment information includes a billing addressinformation, a shipping address information, and a financial accountinformation. The financial account information must include one of acredit card account number, a debit card account number, a bank accountnumber, etc. and may include related information such as an expirationdate, an issuing institution name and address, etc. The billing andshipping address information may include the name of a person, streetaddress, city, state, zip code, and day and night telephone numbers. Thepayment information may also include the buyer's email address, screenname, account name, or other identifier and identifying information. Inone embodiment, the buyer's IP address is saved and stored with thepayment information and/or with the transaction information. The IPaddress may be gleaned from examination of incoming packets of data fromthe buyer when the buyer is communicating with the payment facilitatorsystem.

Upon receipt of the transaction information, the payment facilitatorsystem analyzes the transaction information for fraud, as shown in block310. How this is achieved is discussed in more detail below with regardto FIG. 4. A check is then made to determine whether the transactionappears to be fraudulent, as shown in block 312. If the transaction doesnot appear to be fraudulent, the payment facilitator system debits thebuyer's account and sends an email message instructing the seller tocomplete the sale, as shown in block 314. In response to such an emailmessage, the seller then sends the good(s) to the buyer in anagreed-upon manner. In one embodiment, the payment facilitator systemthen credits the seller's financial account upon receipt of an emailnote from the buyer confirming completion of the sale or after aspecified period of time, as shown in block 316. In this embodiment, theseller's account is credited when the buyer confirms that the good(s)have been received. Alternatively, in this embodiment, if the buyerfails to confirm receipt of the good(s) and does not inform the paymentfacilitator system that the good(s) were not received, the seller'saccount is credited for the sale. In another embodiment, the paymentfacilitator system may send an email message to the buyer asking thebuyer to confirm receipt of the goods. This message could also statethat if no response to the email message is received, the buyer'saccount will be debited and/or the seller's account will be credited ifno response is receive within a specified period of time.

If the transaction appears to be fraudulent, as shown in block 312, thepayment facilitator system sends appropriate email messages to the buyerand/or the seller, putting the sale on hold, as shown in block 318. Thepayment facilitator system then communicates information about thepayment transaction and fraud information to a human investigator, asshown in block 320. The human investigator then investigates thetransaction, starting with the fraud information provided as a result ofthe earlier fraud analysis, to determine whether the transaction isfraudulent or appears to have a high possibility of being fraudulent.The fraud investigator then takes whatever action the fraud investigatordeems appropriate, such as communicating with the buyer and/or theseller by email or telephone, contacting local police authorities,contacting the FBI, etc. The fraud investigator may cancel or allow thesale based on the results of the investigation. If the investigatorallows the transaction, actions according to blocks 314 and 316discussed above are then executed.

In one embodiment, after the buyer and seller agree on a sale, the saleinformation may be communicated to the payment facilitator system by thebuyer. In this embodiment, the seller may have already registered withthe system, and the buyer provides pertinent sale information to thepayment facilitator system. This sale information may include thepayment information regarding the buyer as discussed above regardingblock 308, as well as specific information identifying the saletransaction such as a description of the goods or services the buyeragreed to purchase and the sale price, and may include furtherinformation such as the seller's contact information, namely theseller's email address, mailing address, telephone number, etc. Thepayment facilitator system then sends an email sale confirmation requestto the seller. In various embodiments, the seller may respond to theemail to accept the sale transaction, or the seller may accept the saletransaction by communicating with the payment facilitator system via aninternet web interface either independently or by following a URI or URLcontained in the email sale confirmation request. In another embodiment,no email sale confirmation request, and the payment facilitator systemprovides a screen notification to the seller the next time the sellerlogs on to the sale facilitator system. The screen notification may be atext display or an iconic display, or any other user interfacetechnique. The flow of actions then continues with block 310 asdiscussed above.

FIG. 4 depicts a more detailed flow of actions taken according to oneembodiment of the fraud detection method and system of the presentinvention. Fraud detection software receives transaction informationfrom the payment facilitator system, as shown in block 400. Thetransaction information may include information about the seller such asthe seller's contact information, namely email address, user name,mailing address, as well as the seller's specified financial account.That is, the financial account to which the sale will eventually becredited when the sale is complete. The transaction information alsoincludes information about the buyer such as the buyer's billing andshipping address information, the buyer's telephone number(s), thebuyer's email address, the buyer's user name, the financial account thebuyer has selected to use to pay for the transaction. In addition, thetransaction information also includes the price of the good(s) and adescription of the good(s). After the fraud detection software receivesthe transaction information, the fraud detection software performssimple screening, as shown in block 402. Simple screening is the processby which the fraud detection software compares various data contained inthe transaction information with lists of financial account numbers,addresses, email addresses, user names, telephone numbers, etc. known tohave been used with fraudulent transactions and/or obtained from a thirdparty such as a credit card issuer, bank, or specialized serviceprovider. In another embodiment, the lists or blacklists may be obtainedon demand or regularly from a third party such as a bank, credit cardissuer, other financial institution or specialized service providers.Such lists include known stolen credit cards and addresses known to havebeen involved with fraudulent transactions either with any of thepayment facilitator system, the sale facilitating system, and any of themany credit card issuers, banks, other financial institutions,specialized service providers, etc. In one embodiment, the simplescreening compares the fields for which lists exist with the appropriatelist. In this embodiment, if any transaction information is found on anyscreening list, the transaction is blacklisted.

The fraud detection software then checks whether the transaction isblacklisted, as shown in block 404. If the transaction is notblacklisted, the fraud detection software seeks approval from thefinancial institution implicated by the financial account specified bythe buyer, as shown in block 406. In one embodiment, this involvescommunicating with a financial institution such as a credit card issuer,bank, etc. computer via a dedicated line to obtain approval for thetransaction. The fraud detection software then receives a response fromthe financial institution and checks to determine whether thetransaction is approved, as shown in block 408. In practice, thefinancial institution or third party that provides financial accountapproval returns one of a plurality of codes. In one embodiment, thefraud detection software determines whether the code returned should beclassified as an approval or rejection. In another embodiment, the frauddetection software may classify the code as a requiring furtherinformation and automatically issue email messages to the buyer orseller requesting information clarifying the response from the financialinstitution. In this embodiment, one example may be for the frauddetection software to automatically send an email message requestingthat the buyer confirm the billing address, the buyer's name, or otherportion of the transaction information to which the fraud detectionsoftware is directed by the error code. Such a recovery systemeliminates false positives when a simple typo was made by the user. Inone embodiment, if the transaction is blacklisted or if the transactionhas not been approved, the fraud detection software rejects thetransaction, as shown in block 410. In one embodiment, when atransaction is rejected, appropriate email messages are sent to thebuyer and the seller informing them that the payment transaction hasbeen rejected.

If the financial institution approves the transaction, the frauddetection software performs rule-based analysis, assigning a score forthe transaction based on rule violation, as shown in block 420. The listof possible rules is endless. Generally, certain information gleanedfrom the transaction information is compared with other information.This other information may be generally available address look-upinformation to determine whether the seller's address and the shippingand mailing addresses of the buyer exist, or may be more complexdatabase queries and retrievals of information obtained from the historyof transactions that have been processed by the payment facilitatorsystem. In another embodiment, the historical information may also beobtained from a database maintained by a sale facilitating system inaddition to or in place of historical information obtained from thepayment facilitator system.

Analyses for whether the addresses and other information containedwithin the transaction information are syntactically correct or whetherthe addresses or other identifying information exists may be referred toas suspect data rules. Example suspect data rules include the following:

-   -   a. is the shipping address a real address?    -   b. is the shipping address used with multiple different buyers?    -   c. is the billing address a real addresses?    -   d. is the billing address used with multiple different buyers?    -   e. is the shipping address implicated in prior possible        fraudulent transactions?    -   f. does the buyer and/or seller financial account meet the        format requirements of the type of account it represents?    -   g. are the buyer and seller phone numbers real phone numbers?    -   h. are the seller and shipping addresses the same?

Analyses which require more complex analysis of databases of the paymentfacilitator system and/or a sale facilitating system may be referred toas velocity rules. Generally, velocity rules check to see if there hasbeen an inordinate amount of activity involving some piece of thetransaction information. That is, the rules cause the fraud detectionsoftware to determine whether there has been excessive activity that maylead to a conclusion that the transaction may be fraudulent. In oneembodiment, velocity rules may involve analysis of transaction volumeover a given period of time for the buyer and/or seller, transactiondollar value totals for the buyer and/or seller for a given period oftime, etc. In another embodiment, velocity checks may also includeanalysis of how frequently the specified financial account number orbuyer has been declined authorization. In general, determining thatthere has been excessive activity with one seller may evidence that aninnocent seller may be the target of a fraudulent buyer or group ofbuyers. On the other hand, excessive seller activity may also evidencethat the seller is involved in committing a fraud. Although evidence offraud may exist, it may be difficult to classify whether the fraud wascommitted by the buyer or by the seller. Therefore, if evidence of fraudappears to be present in a transaction, the transaction is sent to andexamined by a fraud investigator so that false positives are minimized.

A more specific example of a velocity rule is determining whether theseller's account has been used beyond some determined threshold duringsome set period of time. Another example is determining whether thebuyer's credit card has been used for a number of transactions exceedinga predetermined acceptable number of daily (or hourly or weekly, etc.)transactions. Further examples of velocity rules follow:

-   -   a. does the dollar value of transactions from a single seller        exceed $1,000 per financial account per $10,000 worth of        transactions on the payment facilitator system?    -   b. has the buyer's financial account been used with the seller        more than 3 times in the past hour?    -   c. has the buyer's financial account been used with the seller        more than 3 times during the last 1000 transactions on the        payment facilitator system?    -   d. has the buyer spent more then $1,000 in 12 hours?    -   e. has the buyer's financial account been involved with        transactions exceeding $1,000 in 12 hours?    -   f. has the buyer's financial account been involved with more        than $10,000 in one month?    -   g. have the buyer and seller been involved with more than $1,000        of transactions with one another in 12 hours?    -   h. has the buyer's financial account been used with the seller        more than 3 times in the past 100 transactions with the seller?    -   i. has the shipping address been specified more than 3 times in        12 hours?    -   j. has the shipping address been specified more than 3 times in        the last 100 transactions involving the seller?    -   k. has the seller's or buyer's IP address been involved with        more than 3 transactions in the past 100 transactions on the        payment facilitator system?    -   l. has the buyer's IP address been involved with more than        $1,000 transactions in the past 12 hours of transactions on the        payment facilitator system?

This list includes just a few of many possible rules. In one embodiment,the dollar amounts and numbers may remain constant and may only bechanged by a system operator. In one embodiment, the amounts andthresholds may be automatically adjusted based on the kind of goodssold, the kind of seller, and other variables. The dollar amounts andthresholds listed above are examples and may be any dollar amounts orthresholds that serve as accurate indicators of a possible fraudulenttransaction.

In another embodiment, the rule-based analysis may check for fraud byissuing queries regarding information provided by the buyers andsellers, checking blacklists of various information included with thetransaction data, checking with external credit bureaus, etc. bycommunicating with one or more third party database servers, one or morethird party blacklist servers, one or more external credit bureaus, etc.in addition to checking the database of the payment facilitator systemand the sale facilitating system. In one embodiment, the same financialinstitution that was consulted to approve the transaction may also serveas a third party database server, third party blacklist server, externalcredit bureau, etc. with which the rule-based analysis interacts toexecute and evaluate rules.

A numerical value is associated with each rule. Each time a rule isfound to be violated, the score for the transaction is incremented bythe amount associated with the rule. The fraud detection software sets athreshold such that after the rule analyses have been completed, when ascore exceeds the threshold, the transaction is considered potentiallyfraudulent. The numerical values may be weighted according to theparticular rule and need not be uniform. In some embodiments, atransaction that violates one velocity rule may cause the threshold tobe exceeded, while violating one suspect data rule may not cause thethreshold to be exceeded. After the rule analysis is performed, thefraud detection software checks to determine whether the score totalexceeds the threshold, as shown in block 422. If the threshold isexceeded, the fraud detection software routes the transactioninformation and rule violation information to a human investigator, asshown in block 430. In one embodiment, the routing is achieved viaemail. In one embodiment, the rule violation information may be a codedesignating which rules were violated, a textual description of therules violated, or both. The code may be any combination of letters,numbers or symbols that uniquely identifies the rule violated. If thescore total does not exceed the threshold, as shown in block 422, thefraud detection software accepts the transaction. With regard to block312 of FIG. 3, a transaction is considered fraudulent when the scoretotal exceeds the defined threshold as in Block 422 of FIG. 4.

In the foregoing specification, the invention has been described withreference to specific embodiments. It will, however, be evident thatvarious modifications and changes can be made thereto without departingfrom the broader spirit and scope of the invention as set forth in theappended claims. The specification and drawings are, accordingly, to beregarded in an illustrative rather than a restrictive sense.

1. A method for detecting fraud by a payment facilitator whenfacilitating a payment transaction over a global wide area network, themethod implemented in a computer-readable storage medium and executed bya server, the method comprising: receiving, by the payment facilitatorvia a web site interface associated with the payment facilitator, saleinformation pertaining to a purchase of a product from a seller, whereinthe sale information includes an email address for the seller;receiving, by the payment facilitator via the web site interface,payment information from a buyer, where the payment information includesan email address for the buyer, and wherein the payment information isreceived from the buyer in response to an email generated invoice sentto the email address of the buyer or sent in response to an emailgenerated notification of a location that the buyer can acquire theemail generated invoice where the location is sent to the email addressof the buyer; performing, by the payment facilitator, automated analysisof transaction information including the sale information and thepayment information to detect whether the transaction informationindicates fraud, and wherein the payment facilitator executes a softwareprogram to process at least some information associated with historicalinformation, in order to determine whether fraud is present; if theautomated analysis does not detect fraud, the payment facilitator sendsinformation via email to the email address of the seller instructing theseller to send the product to the buyer, credits an account of theseller for the purchase in response to an indication that the buyerreceived the product, and the payment facilitator directly contacts afinancial institution associated with the buyer, via a dedicated line,and debits another account associated with the buyer at that financialinstitution; when the financial institution requests additionalinformation from the payment facilitator before determining whetherfraud exists, the payment facilitator automatically issues emailmessages to the buyer or the seller requesting information to clarifyrequests of the financial institution and again attempts to obtainapproval from the financial institution with the clarifying information;and if the automated analysis detects fraud, the payment facilitatorcauses an enhanced transaction information to be communicated to a humanfor manual fraud analysis.
 2. The method of claim 1 wherein the saleinformation is received from a seller, and the method further comprises:communicating an invoice to a buyer.
 3. The method of claim 1 furthercomprising: performing simple screening of the transaction information.4. The method of claim 3 wherein performing simple screening comprises:determining whether a financial account specified as part of the paymentinformation is on a list of known fraudulent financial account numbers;determining whether the name of the buyer or the name of the seller ison a list of known fraudulent users; determining whether a shippingaddress specified as part of the payment information is on a list ofknown fraudulent addresses; determining whether a billing addressspecified as part of the payment information is on a list of knownfraudulent addresses; determining whether an email address of the buyeror the seller is on a list of known fraudulent email addresses; anddetermining whether an Internet protocol (IP) address of the buyer orthe seller is on a list of known fraudulent IP addresses.
 5. The methodof claim 1 further comprising: seeking approval from the financialinstitution based on the payment information.
 6. The method of claim 5wherein seeking approval comprises: sending a request for approval thatcomprises at least an account information extracted from the paymentinformation and an amount information to a financial institution;receiving from the financial institution a response to the request;rejecting the payment transaction or continuing with the paymenttransaction responsive to the response.
 7. The method of claim 1 whereinperforming automated analysis comprises: performing rule-based analyses.8. The method of claim 7 wherein performing rule-based analysescomprises: applying a plurality of rules to the transaction informationsuch that a score for the payment transaction is incremented when one ofthe rules is violated.
 9. The method of claim 8 wherein performingrule-based analyses further comprises: creating the enhanced transactioninformation if the score exceeds a predefined threshold such that theenhanced transaction information comprises a tracking number, the score,and a violated rule information.
 10. The method of claim 8 whereinapplying comprises: incrementing the score responsive to a numeric valueassigned to the rule violated.
 11. The method of claim 8 wherein theplurality of rules comprise a plurality of suspect data rules and aplurality of velocity rules.
 12. The method of claim 11 wherein theplurality of suspect data rules comprise: comparison of a shippingaddress with a directory of known real addresses; comparison of ashipping address with a list of addresses implicated in prior possiblyfraudulent transactions; comparison of a billing address with adirectory of known real addresses; and comparison of a billing addresswith a list of addresses implicated in prior possibly fraudulenttransactions.
 13. The method of claim 11 wherein the plurality ofvelocity rules comprise: determining whether a first number oftransactions involving the seller exceeds a first predefined thresholdfor a first predefined time period; determining whether a second numberof transactions involving the buyer exceeds a second predefinedthreshold for a second predefined time period; determining whether afirst total dollar amount for a first plurality of transactionsinvolving the buyer exceeds a third predefined threshold for a thirdpredefined time period; determining whether a second total dollar amountfor a second plurality of transactions involving the seller exceeds afourth predefined threshold for a fourth predefined time period;determining whether a third total dollar amount for a specifiedfinancial account exceeds a fifth predefined threshold for a fifthpredefined time period; and determining whether a third number oftransactions involving the specified financial account exceeds a sixthpredefined threshold for a sixth predefined time period.
 14. The methodof claim 11 wherein the plurality of velocity rules comprise:determining whether a financial account specified as part of the paymentinformation has exceeded a predetermined acceptable number of times usedover a predetermined period of time; determining whether a financialaccount specified as part of the payment information has exceeded apredetermined acceptable number of times used over a predeterminednumber of transactions with the seller; and determining whether afinancial account specified as part of the payment information hasexceeded a predetermined acceptable number of times used over apredetermined number of transactions with the payment facilitator. 15.The method of claim 1 wherein communicating an enhanced transactioninformation comprises sending an email message to at least one of aplurality of human fraud investigators.
 16. The method of claim 1further comprising: if the analyzing indicates fraud, notifying thebuyer and/or a seller that the payment transaction is on hold pendingthe outcome of a fraud investigation.
 17. The method of claim 16 whereinnotifying comprises: sending an email message to the buyer and/or theseller.
 18. A system comprising: a first computer supportingcommunications over a wide area network by a buyer, wherein thecommunications over the wide area network occur via a web site interfacefor a payment facilitator; a second computer supporting communicationsover the wide are network by a seller, wherein the communications overthe wide area network occur via the web site interface for the paymentfacilitator; the payment facilitator computer supporting communicationsover the wide are network and executing software that facilitates apayment transaction between the buyer and the seller, wherein thefacilitator computer is to receive payment information from the buyerand to analyze the payment transaction for fraud by applying a pluralityof rules and incrementing a score for the payment transaction for eachof the plurality of rules that is violated, if the score does not exceeda predefined threshold, instructs the seller via email to send apurchased product to the buyer, credits an account of the seller for thepayment transaction in response to an email indication from the buyerthat the buyer received the purchased product, and the paymentfacilitator directly contacts a financial institution associated withthe buyer, via a dedicated line, and debits another account associatedwith the buyer at that financial institution and when the financialinstitution requests additional information from the payment facilitatorbefore determining whether fraud exists the payment facilitatorautomatically issues email messages to the buyer or the sellerrequesting information to clarify requests of the financial institutionand again attempts to obtain approval from the financial institutionwith the clarifying information before debiting the account of the buyerwith the financial institution, and if the score exceeds a predefinedthreshold, communicates an information about the payment transaction toa human fraud investigator, and wherein a number of the rules areapplied in response to information related to historical informationthat compliments the rules.
 19. The system of claim 18 furthercomprising: a fourth computer capable of communications with the thirdcomputer and allowing the human fraud investigator to communicate withthe third computer.
 20. The system of claim 19 wherein the thirdcomputer is coupled to the fourth computer via a dedicatedcommunications line.
 21. The system of claim 19 wherein the thirdcomputer communicates with the fourth computer over the wide areanetwork.
 22. The system of claim 18 further comprising: a fifth computercapable of communications with the third computer and responding onbehalf of the financial institution to a request for authorization ofthe payment transaction initiated by the software executing on the thirdcomputer.
 23. The system of claim 22 wherein the third computer iscoupled to the fifth computer via a dedicated communications line. 24.The system of claim 22 wherein the third computer communicates with thefifth computer over the wide area network.
 25. The system of claim 18wherein the wide area network is the Internet.
 26. A machine readablemedium having stored thereon instructions which when executed by aprocessor cause the machine to perform a method for detecting fraud by apayment facilitator when facilitating a payment transaction over aglobal wide area network, the method comprising: receiving, via a website interface of the payment facilitator, sale information pertainingto a purchase of a product from a seller, and wherein the saleinformation includes an email address for the seller; receiving, via theweb site interface of the payment facilitator, payment information froma buyer, and wherein the payment information includes an email addressfor the buyer; performing, by the payment facilitator, automatedanalysis of transaction information including the sale information andthe payment information to detect whether the transaction informationindicates fraud, and wherein the payment facilitator acquires at leastsome information related to historical information, in order todetermine if fraud is present; if the automated analysis does not detectfraud, the payment facilitator sends information via email instructingthe seller to send the product to the buyer, credits an account of theseller for the purchase in response to an email indication that thebuyer received the product, and the payment facilitator directlycontacts a financial institution associated with the buyer, via adedicated line, and debits another account associated with the buyer atthat financial institution; when the financial institution requestsadditional information from the payment facilitator before determiningwhether fraud exists the payment facilitator automatically issues emailmessages to the buyer or the seller requesting information to clarifyrequests of the financial institution and again attempts to obtainapproval from the financial institution with the clarifying information;and if the automated analysis detects fraud, the payment facilitatorcauses an enhanced transaction information to be communicated to a humanfor manual fraud analysis.
 27. The machine readable medium of claim 26wherein the instructions cause the machine to perform operations furthercomprising: performing simple screening of the transaction information.28. The machine readable medium of claim 27 wherein performing simplescreening comprises: determining whether a financial account specifiedas part of the payment information is on a list of known fraudulentfinancial account numbers; determining whether the name of the buyer orthe name of the seller is on a list of known fraudulent users;determining whether a shipping address specified as part of the paymentinformation is on a list of known fraudulent addresses; determiningwhether a billing address specified as part of the payment informationis on a list of known fraudulent addresses; determining whether an emailaddress of the buyer or the seller is on a list of known fraudulentemail addresses; and determining whether an Internet protocol (IP)address of the buyer or the seller is on a list of known fraudulent IPaddresses.
 29. The machine readable medium of claim 26 wherein theinstructions cause the machine to perform operations further comprising:seeking approval from the financial institution based on the paymentinformation.
 30. The machine readable medium of claim 29 wherein seekingapproval comprises: sending a request for approval that comprises atleast an account information extracted from the payment information andan amount information to a financial institution; receiving from thefinancial institution a response to the request; rejecting the paymenttransaction or continuing with the payment transaction responsive to theresponse.
 31. The machine readable medium of claim 26 wherein performingautomated analysis comprises: performing rule-based analyses.
 32. Themachine readable medium of claim 31 wherein performing rule-basedanalyses comprises: applying a plurality of rules to the transactioninformation such that a score for the payment transaction is incrementedwhen one of the rules is violated.
 33. The machine readable medium ofclaim 32 wherein performing rule-based analyses further comprises:creating the enhanced transaction information if the score exceeds apredefined threshold such that the enhanced transaction informationcomprises a tracking number, the score, and a violated rule information.34. The machine readable medium of claim 32 wherein applying comprises:incrementing the score responsive to a numeric value assigned to therule violated.
 35. The machine readable medium of claim 32 wherein theplurality of rules comprise at least one of a plurality of suspect datarules and a plurality of velocity rules.
 36. The machine readable mediumof claim 26 wherein communicating an enhanced transaction informationcomprises sending an email message to at least one of a plurality ofhuman fraud investigators.
 37. The machine readable medium of claim 26wherein the instructions cause the machine to perform operations furthercomprising: if the analyzing indicates fraud, notifying the buyer and/ora seller that the payment transaction is on hold pending the outcome ofa fraud investigation.
 38. The machine readable medium of claim 37wherein notifying comprises: sending an email message to the buyerand/or the seller.